Cryptography is the science of information security in which cryptographic systems are developed to protect data from unauthorized requesters. One aspect of cryptography is encryption, which provides data confidentiality. With encryption, a computer system converts input data, e.g., text or video content, into encrypted data, commonly referred to as cipher data. The cipher data is transmitted to another computer system, which cannot decrypt the cipher data without the proper key.
Another aspect of cryptography is authentication, which protects the access to data. Authentication involves a process to determine whether a requester is authorized to have its request fulfilled, e.g., whether the requester is authorized to receive or access data. Some cryptographic systems use a random or pseudorandom number as part of an authentication process. A pseudorandom number, which is produced by a pseudorandom number generator, is a number whose possible values may not have an equal chance of occurring, and may be predictable in that one pseudorandom number is useful in determining the value of a subsequent pseudorandom number. When used as part of an authentication process in a cryptographic system, a pseudorandom number should be as unpredictable as possible.
Entropy is a measure of unpredictability. To provide a high level of entropy, a pseudorandom number generator should generate pseudorandom numbers whose possible values have an equal chance of occurring, and past pseudorandom numbers should not be useful in predicting subsequent pseudorandom numbers. In other words, a pseudorandom number generated by a pseudorandom number generator should be indistinguishable from a random number produced by a random number generator. Because a pseudorandom number generator typically has its initial state established, or “seeded,” by gathering truly random data from its physical environment, a pseudorandom number generator may be compromised if there is insufficient entropy in its initial state or “seed.” However, the pseudorandom number generator may be influenced by ongoing operations, and thus may pick up additional truly random data from its environment as it continues to operate, thereby enhancing its unpredictability.
If a pseudorandom number used as part of an authentication process is not generated with a sufficient level of entropy, an unauthorized requester that gains access to the communication between, for example, a transmitter and a requester of data from the transmitter, may be able to become authenticated during an authentication process that uses the pseudorandom number. For example, using a pseudorandom number generated with insufficient entropy, an unauthorized computer system might be able to limit the possible values of subsequently generated pseudorandom numbers and predict a subsequently generated pseudorandom number. This would, in accordance with an example authentication protocol, enable the unauthorized computer system to impersonate the transmitter by sending the predicted pseudorandom number to the receiver. Because the predicted pseudorandom number has the value of a pseudorandom number that could have come from the transmitter, the receiver would send to the unauthorized computer system a response that would be valid if the pseudorandom number had come from the transmitter.
The unauthorized computer system could thus impersonate the receiver by sending to the transmitter the receiver's response to the predicted pseudorandom number. As a result, the unauthorized computer system would be authenticated as an authorized recipient of data from the transmitter. Thus, a pseudorandom number should be generated with a sufficient level of entropy such that the pseudorandom number cannot be used to determine the value of a subsequently generated pseudorandom number.